Abstract — The Alternating Step(r, s) Generator, ASG(r, s), is a clock-controlled sequence generator recently proposed by A. Kanso. It consists of three registers of length l, m and n bits. The first register controls the clocking of the other two. The two other registers are clocked r times (or not clocked) (resp. s times or not clocked) depending on the clock-control bit in the first register. The special case r = s = 1 is the original and well-known Alternating Step Generator. Kanso claims there is no efficient attack against the ASG(r, s) since r and s are kept secret. In this paper, we present an Alternating Step Generator, ASG, model for the ASG(r, s) and also a new and efficient algebraic attack on ASG(r, s) using 3(m + n) bits of the output sequence to find the secret key with $O((m^2 + n^2)2^{l+1} + m^3 2^{m-1} + n^3 2^{n-1})$ computational complexity. We show that this system is no more secure than the original ASG, in contrast to the claim of the ASG(r, s)'s constructor.

I. Introduction 

The goal in stream cipher design is to efficiently produce 
pseudorandom sequences which should be indistinguishable 
from truly random sequences. From a cryptanalysis point of 
view, a good stream cipher should be resistant against a known- 
plaintext attack. In this kind of attack, the cryptanalyst is given 
a plaintext and the corresponding ciphertext, and the task is 
to determine the secret key. For a synchronous stream cipher, 
this is equivalent to the problem of finding the secret key or 
initial state that produced a given keystream output. 

In stream cipher design, one usually uses Linear Feedback Shift Registers, LFSRs, as building blocks in different ways, and the secret key is often used as the initial state of the LFSRs. A general methodology for producing random-like sequences from LFSRs that has been popular is using the output of one or more LFSRs to control the clock of other LFSRs. The purpose is to destroy the linearity of the LFSR sequences and hence provide the resulting sequence with a large linear complexity. This structure is called a Clock-Controlled Generator, which has several different types, e.g., the Stop/Go Generator [2], the Step1/Step2 Generator [3], the Shrinking Generator [4], the Self-Shrinking Generator [5], and the Jump Register, which was proposed recently in [6]-[8] and is used in some candidates of the European ECRYPT/eSTREAM [9] project, e.g., Pomaranch [10] and Mickey [11].

An Alternating Step Generator (ASG), a well-known stream cipher proposed in [12], consists of a regularly clocked binary LFSR, A, and two Stop/Go clocked binary LFSRs, B and C. At each time, the clock-control bit from A determines which one of the two Stop/Go LFSRs is clocked, and the output sequence is obtained as the bit-wise sum of the two Stop/Go clocked LFSR sequences.

ASG(r, s), proposed in [1], is a general form of the original ASG, which will be described in the next section. The difference is that B and C are shifted r and s times, respectively, where r and s are part of the secret key. As far as we know, there is presently no efficient general attack on this algorithm. In this paper, we propose an algebraic attack on this algorithm and we will show that its security is no more than the security of the original ASG, in contrast to the constructor's claim.

In Section II, a brief description of the ASG(r, s) will be 
presented and in Section III, the security of the ASG(r, s) is 
investigated from the author's point of view. We model the 
ASG(r, s) to an original ASG in Section IV and according 
to this model, we will present our attack in Section V and 
conclude in Section VI. 

II. Description of the ASG(r, s) 

The Alternating Step(r, s) Generator, ASG(r, s), is a clock-controlled stream cipher similar to the original ASG, but the clock-controlled LFSRs B and C jump r and s steps respectively instead of being clocked in a Stop/Go manner.

ASG(r, s) is composed of a regularly clocked FSR, A, and two clock-controlled FSRs, B and C. At each time, the clock-control bit from A, e.g., the 0-th cell, determines which of the two FSRs is clocked. B is clocked by the constant integer r and C is not clocked if the content of the 0-th cell of A is '1'; otherwise, B is not clocked and C is clocked by the constant integer s. FSR A is called the Control Register and FSRs B and C are called the Generating Registers. The output bits of the ASG(r, s) are produced by adding modulo 2 the output bits of FSRs B and C under the control of FSR A. Kanso has recommended using an FSR A with a de Bruijn output sequence of span l [14] and primitive Linear Feedback Shift Registers (LFSRs) for the generating registers B and C with lengths m and n bits respectively, which is illustrated in Fig. 1. He proved that when the values of m and n satisfy gcd(m, n) = 1, and the values of r and s satisfy $\gcd(r, 2^m - 1) = 1$ and $\gcd(s, 2^n - 1) = 1$, then the period of the output sequence is equal to $2^l(2^m - 1)(2^n - 1)$ and the linear complexity ($L_z$) of the output sequence satisfies $(m + n)2^{l-1} < L_z < (m + n)2^l$. The initial states of the registers and the number of jumps, r and s, are the secret key. This structure is considered in the whole paper and in our attack.

III. Security of the ASG(r, s)

Kanso claims in [1] that his structure, ASG(r, s), is secure against all attacks known so far. The output sequence of the ASG(r, s) is the XOR of its two irregularly decimated generating sequences. Thus, he claims one could not expect a strong correlation to be obtained efficiently, especially if primitive feedback polynomials of high Hamming weight are associated with the feedback functions of the generating registers B and C [23]. Furthermore, the values of r and s are considered as part of the secret key. Then, ASG(r, s) appears to be secure against all correlation attacks introduced in [20], [23]-[31].

Kanso also made the claim that ASG(r, s) is secure against algebraic attacks [13] and that the complexity of this attack is equal to $O((m^3 + n^3)\Phi 2^l)$¹, where $\Phi = \Phi_1\Phi_2$, $\Phi_1$ is the number of possible values for r such that $\gcd(r, 2^m - 1) = 1$ and $\Phi_2$ is the number of possible values for s such that $\gcd(s, 2^n - 1) = 1$. This attack takes approximately $O((m^3 + n^3)2^{m+n+l-2})$ steps using the estimates $\Phi_1 = 2^{m-1}$ and $\Phi_2 = 2^{n-1}$. Therefore, the ASG(r, s) appears to be secure against this attack.

IV. ASG Model for the ASG(r, s)

Throughout the paper, we refer to the output sequences of registers A, B and C by $a = a_0, a_1, \ldots, a_t$, $b = b_0, b_1, \ldots, b_i$ and $c = c_0, c_1, \ldots, c_j$ respectively. Furthermore, we refer to the output sequence of the ASG(r, s) by $z = z_0, z_1, \ldots, z_t$. Let $S_A(t)$, $S_B(t)$ and $S_C(t)$ denote the internal states of registers A, B and C at time t respectively, and let $S_A(0)$, $S_B(0)$ and $S_C(0)$ denote their initial states. As the finite state machine is linear, the state transition can be described by a matrix, which is the companion matrix for an LFSR. We refer to the transition matrices of registers B and C by $T_B$ and $T_C$, and we suppose that the matrices $T_B$ and $T_C$ are known in the rest of the paper. So, we have:

$S_B(t) = S_B(t-1)T_B = S_B(0)T_B^t$, (1)

$S_C(t) = S_C(t-1)T_C = S_C(0)T_C^t$. (2)

Suppose that $z_t = b_i \oplus c_j$, so we have:

$z_{t+1} = (b_{i+r} \oplus c_j)a_t \oplus (b_i \oplus c_{j+s})(a_t \oplus 1)$. (3)

¹ In [1], it is mentioned that this complexity is $O(\Phi 2^l m^3 n^3)$, which is not

Suppose that the first output bits of registers B and C are denoted by $b_0$ and $c_0$. It is clear that only the bits in positions $i = pr$ and $j = qs$ are chosen from the regular output sequences of registers B and C respectively, and the other bits are discarded. In other words, the keystream output sequence $(z_t)$ is constructed by a combination of an r-decimated and an s-decimated sequence derived from the regular output sequences of B and C. We refer to these irregular sequences by β and λ respectively. So, we have $\beta = \beta_0, \beta_1, \ldots, \beta_t = b_0, b_r, \ldots, b_{tr}$, such that $\beta_t = b_{tr}$ for all $t \ge 0$, and $\lambda = \lambda_0, \lambda_1, \ldots, \lambda_t = c_0, c_s, \ldots, c_{ts}$, such that $\lambda_t = c_{ts}$ for all $t \ge 0$.

The constructor Kanso [1] recommended that each of the registers B and C should be an LFSR whose output is an m-sequence. According to the following well-known theorem from [14], both β and λ are m-sequences as well.

Theorem 1: Let b be a binary maximum-length sequence (m-sequence) with period $2^m - 1$. Let β be the sequence obtained by sampling every r-th bit of b, starting with the first bit of b. Then β is again an m-sequence with the same period if and only if $\gcd(r, 2^m - 1) = 1$.

This means that we can model the clock-controlled LFSRs B and C by new regular LFSRs, $B_\beta$ and $C_\lambda$, with transition matrices $T_\beta$ and $T_\lambda$ and regular output sequences $\beta = \beta_0, \beta_1, \ldots, \beta_t$ and $\lambda = \lambda_0, \lambda_1, \ldots, \lambda_t$ respectively. In other words, the sequences β and λ can be regenerated by registers of the same length but with different feedback polynomials. For their internal states, we have:



(4) 
(5) 



If $E_B$ and $E_C$ denote the vectors which choose the last bit of the internal states of registers B and C as the output bit, we can write:

$\beta_t = S_\beta(t)E_B = S_\beta(0)T_\beta^t E_B$, (6)

$\lambda_t = S_\lambda(t)E_C = S_\lambda(0)T_\lambda^t E_C$. (7)



Suppose that $i = pr$ and $j = qs$, so we can rewrite (3) as follows:

$z_{t+1} = (\beta_{p+1} \oplus \lambda_q)a_t \oplus (\beta_p \oplus \lambda_{q+1})(a_t \oplus 1)$. (8)

It can be recognized easily that (8) describes an original ASG whose output $(z_t)$ is composed of β and λ under the control of $a_t$. So, we can model the ASG(r, s) as the original ASG described in (8), which is illustrated in Fig. 2. In the next section, we will use this model and algebraic techniques to attack the ASG(r, s).

TABLE I: The Complexity of Previous Attacks Against the Original ASG

Several attacks have been proposed on the original ASG in 
the literature, but most of them do not affect the security of 
the ASG(r, s). Our idea can be applied to the original ASG, 
but it is not better than the previous attacks in contrast to the 
ASG(r,s). 

Table I shows the complexity of the previous attacks and of our attack on the original ASG. In Table I, the first column shows the name of the previous attacks against the original ASG and the second column shows the Minimum Keystream Length Requirement (MKLR). The third column shows the total complexity and the last column shows the complexity of the attack in the case l = m = n = 64. In Tables I and II, L and M are equal to (l + m + n) and max{m, n} respectively, and we have F = 1 − 1/(0.19m + 3.1).

We can see easily from Table I that Johansson's reduced complexity attack [20] is the best existing attack on the original ASG so far. For this reason, we briefly describe this attack and try to apply it to the ASG(r, s). In Johansson's reduced complexity attacks, the adversary waits for a segment of M consecutive zeros (or ones) in the output sequence of the ASG. If m < n, then the adversary assumes that exactly M/2 of them are from LFSR B. This is true with probability:

The remaining (m − M/2) bits of LFSR B are found by exhaustive search. The optimal complexity of this attack on the original ASG is $O(m^2 2^{2m/3})$.

This attack cannot be applied to the ASG(r, s), because its main assumption, that exactly M/2 bits of the M-bit output segment come from LFSR B's initial state, is only true when the output is composed of the outputs of the two Stop/Go generators. But in the case of ASG(r, s), the values of r and s can be very large numbers. So, the main assumption needed to apply Johansson's attack does not hold for the ASG(r, s) in general. Therefore, we would have to apply this attack to our ASG model for the ASG(r, s), but this is not possible either, because Johansson's attack needs to know the feedback polynomials of the generating registers, $B_\beta$ and $C_\lambda$, and they are unknown in our ASG model. So, we have to search the r and s values to apply this attack. We can search these values in $\Phi$ steps and apply Johansson's attack for each value of r and s. The optimal complexity of this attack is then $O(\Phi m^2 2^{2m/3}) = O(m^2 2^{8m/3})$. In the next section, our attack on the ASG(r, s) will be explained and compared to this attack in Table II.
V. Our Algebraic Attack on the ASG(r, s)

The goal of an attack on a stream cipher is to recover the secret key or to predict and reproduce the rest of the keystream to recover the rest of the ciphertext. In [13] an algebraic attack approach to a family of irregularly clock-controlled LFSR based systems is presented. The complexity of this attack on the original ASG structure is $O((m^3 + n^3)2^l)$. But its complexity on the ASG(r, s) is approximately $O((m^3 + n^3)2^{l+m+n-2})$. We make use of the same idea to attack the ASG(r, s), but we have improved its complexity significantly. If we XOR $z_t$ with $z_{t+1}$ from (8), we have:

$z_t \oplus z_{t+1} = \beta_p \oplus \lambda_q \oplus (\beta_{p+1} \oplus \lambda_q)a_t \oplus (\beta_p \oplus \lambda_{q+1})(1 \oplus a_t)$. (10)

Now, if we multiply both sides of (10) by $a_t$, we have:

$(z_t \oplus z_{t+1})a_t = (\beta_p \oplus \beta_{p+1})a_t$, (11)

and if we multiply both sides of (10) by $(1 \oplus a_t)$, we obtain:

$(z_t \oplus z_{t+1})(1 \oplus a_t) = (\lambda_q \oplus \lambda_{q+1})(1 \oplus a_t)$. (12)

From (11) and (12) we conclude that:

$\beta_{p+1} = \beta_p \oplus z_t \oplus z_{t+1}$ if $a_t = 1$, and $\lambda_{q+1} = \lambda_q \oplus z_t \oplus z_{t+1}$ if $a_t = 0$. (13)

So, if we know the values of $a_t$, $\beta_p$ and $\lambda_q$, we can find $\beta_{p+1}$ and $\lambda_{q+1}$. Note that $z_t$ and $z_{t+1}$ belong to the known output sequence of the ASG(r, s).
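As an added illustration (not code from the paper), the following Python builds a toy ASG(r, s) from small LFSRs and checks, on concrete bits, the ASG model of Section IV (the keystream equals the original ASG of (8) driven by the r- and s-decimated sequences β and λ), relation (13) (with $a_t$ and $\beta_0$ known, β and λ follow from the keystream), and Theorem 1 (the decimated sequence keeps period $2^m - 1$ exactly when $\gcd(r, 2^m - 1) = 1$). All parameters are constructed assumptions: l = 3, m = 4, n = 5 with primitive polynomials x^3+x+1, x^4+x+1, x^5+x^2+1, and A is a plain LFSR rather than the de Bruijn FSR the paper recommends.

```python
# Added example (not the paper's code): toy ASG(r, s) from small LFSRs.
# Constructed parameters: l=3, m=4, n=5; A is a plain LFSR, not a de Bruijn FSR.

def lfsr_sequence(taps, state, length):
    # Fibonacci LFSR over GF(2): s_{t+deg} = XOR of s_{t+i} for i in taps
    s, out = list(state), []
    for _ in range(length):
        out.append(s[0])
        s = s[1:] + [sum(s[i] for i in taps) & 1]
    return out

def asg_rs(a, b, c, r, s, length):
    # eq. (3): z_t = b_i ^ c_j; a_t = 1 jumps B by r cells, else C by s cells
    i = j = 0
    z = []
    for t in range(length):
        z.append(b[i] ^ c[j])
        i, j = (i + r, j) if a[t] else (i, j + s)
    return z

def original_asg(a, beta, lam, length):
    # eq. (8): the original Stop/Go ASG driven by beta and lam
    p = q = 0
    z = []
    for t in range(length):
        z.append(beta[p] ^ lam[q])
        p, q = (p + 1, q) if a[t] else (p, q + 1)
    return z

def recover_decimated(a, z, beta0):
    # relation (13): given a_t and a guess for beta_0, each pair z_t, z_{t+1}
    # determines the next bit of beta (a_t = 1) or of lam (a_t = 0)
    beta, lam = [beta0], [z[0] ^ beta0]
    for t in range(len(z) - 1):
        target = beta if a[t] else lam
        target.append(target[-1] ^ z[t] ^ z[t + 1])
    return beta, lam

def period(seq):
    # smallest p > 0 with seq[t] == seq[t + p] for every available t
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[t] == seq[t + p] for t in range(len(seq) - p)):
            return p
    return None

def demo(r=7, s=3, length=80):
    a = lfsr_sequence((0, 1), [1, 0, 0], length)                # x^3+x+1
    b = lfsr_sequence((0, 1), [1, 0, 0, 1], r * length + 1)      # x^4+x+1
    c = lfsr_sequence((0, 2), [0, 1, 1, 0, 1], s * length + 1)   # x^5+x^2+1
    z = asg_rs(a, b, c, r, s, length)
    beta, lam = b[::r], c[::s]            # the r- and s-decimated sequences
    model_ok = z == original_asg(a, beta, lam, length)
    rb, rl = recover_decimated(a, z, beta[0])
    recovery_ok = rb == beta[:len(rb)] and rl == lam[:len(rl)]
    return model_ok, recovery_ok, period(beta), period(lam)
```

demo() returns (True, True, 15, 31); with demo(r=3), where gcd(3, 15) = 3, the model and (13) still hold but β's period drops to 5, as Theorem 1 predicts.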

In our attack, we search over all possible values for the initial state of register A and produce the sequence $a = a_0, a_1, \ldots, a_t$. Then, we guess the value of $\beta_0$ and calculate $\lambda_0 = z_0 \oplus \beta_0$. Now, by (13) we can find the bits $\beta_p$ for $p \ge 1$ and $\lambda_q$ for $q \ge 1$, as many as needed.

Using the Berlekamp-Massey algorithm and 2m bits of β and 2n bits of λ, we can find the feedback polynomials and the initial states of the generating registers $B_\beta$ and $C_\lambda$ that can directly produce the sequences β and λ regularly. Then, by the rest of the output sequence we can test our guesses for the value of $\beta_0$ and the initial state of register A. As the complexity of the Berlekamp-Massey algorithm is $O(n^2)$ for a sequence of length n, the complexity of this part of our attack is equal to $O((m^2 + n^2)2^{l+1})$.



Now, we have to find the values of the parameters r and s and the initial states of LFSR B, $S_B(0)$, and C, $S_C(0)$. We first have to represent $b_{rt}$ and $b_t$ by the trace function. The trace function, $Tr_m(x)$, is a mapping from the finite field $GF(2^m)$ to $GF(2)$ defined by

$Tr_m(x) = \sum_{i=0}^{m-1} x^{2^i}.$

Any m-sequence of period $2^m - 1$ whose characteristic polynomial is the minimal polynomial of a primitive element α (of order $2^m - 1$) in $GF(2^m)$ can be represented by the trace function as $b_t = Tr_m(u\alpha^t)$. Every nonzero element $u \in GF(2^m)$ corresponds to a cyclic shift of $\{b_t\}$. In our case the situation is that we know $T_B$ and have found β, and we want to find r and s. To find r we already know α and $b_{rt}$ for $t = 0, 1, 2, \ldots$ as well as the relations (14) and (15):

$b_t = Tr_m(u\alpha^t)$, (14)

$b_{rt} = Tr_m(u\alpha^{rt}) = Tr_m(u\gamma^t)$, (15)



where $\gamma = \alpha^r$. We want to find u, which is part of the key since it determines $\{b_t\}$. First we guess a possible value for r and compute $\gamma = \alpha^r$. Then we construct an equation system by (15) for $t = 0, 1, 2, \ldots, m - 1$. This is an equation system in the m unknowns $u, u^2, \ldots, u^{2^{m-1}}$. The system has full rank due to the special form of the coefficient matrix and can therefore be solved in complexity $O(m^3)$. If the solution of the equation system, u, regenerates the sequence $b_{rt}$ correctly by using (15) for $t = m, m + 1, \ldots$ for sufficiently many bits, our guess for r is correct. Otherwise, we have to repeat this process with a new possible value for r. Then u is found and we can generate $b_t$ by using (14) for $t = 0, 1, 2, \ldots, m - 1$, which is the initial state of LFSR B. Similarly we can find the initial state of the other LFSR, C. The complexity of this part is equal to $O(\Phi_1 m^3 + \Phi_2 n^3) = O(m^3 2^{m-1} + n^3 2^{n-1})$. Therefore, the total complexity of our attack is equal to:

$C = O((m^2 + n^2)2^{l+1} + m^3 2^{m-1} + n^3 2^{n-1})$. (16)

Table II shows the complexity of the previous attacks and our attack on the ASG(r, s) to compare their efficiencies. In the case of l = m = n = 64, the best previous attack needs 2^^'^-^ steps to break the ASG(r, s), but our attack is significantly better and it can find the secret key in only 2^'^ steps. This difference comes from our idea to find the values of r and s. In the previous attacks, the adversary has to guess the values of r and s by exhaustive search, and for each guess, the attack must be applied to the algorithm. But in our idea, we do not need to know the values of r and s to apply our attack, and we find these values independently of the exhaustive search over the initial state of register A.

VI. Conclusion 

In this paper, we present an ASG model for the ASG(r, s) and also a new algebraic attack against the ASG(r, s). The designer of the ASG(r, s) claims that this structure is more secure than the original ASG, but we show that its security is not more than that of the original ASG. Our attack can find the secret key of ASG(r, s) by using 3(m + n) bits of the output keystream with $O((m^2 + n^2)2^{l+1} + m^3 2^{m-1} + n^3 2^{n-1})$ computational complexity.

As far as we know, there is no efficient attack against the ASG(r, s) so far. The complexity of previous attacks is much higher than the complexity of our attack. In the case of l = m = n = 64, the best previous attack needs 2^^^^'^ steps to break the ASG(r, s), but our attack can find the secret key in only 2^^ steps. Our attack can be applied to the original ASG structure. Its complexity is comparable to the best known attacks, but our attack does not need to know the characteristic polynomials of the generating registers. Applying our idea to other clock-controlled structures is a subject for future research.